Setup & config options
Apache 2.4+ LAMP server
Most of the articles, descriptions and instructions written here are applicable to the most common Debian-based Linux derivatives. Depending on the respective operating system, there may be minor or major discrepancies.
This website is for educational purposes only. Please do not deploy anything in manufacturing plants.
No warranty or compensation is given for loss of data or hardware.
It should also be mentioned that this modest web server is hosted on a Raspberry Pi type 4B at home.
Raspberry Pi is a series of small single-board computers (SBCs) developed in the United Kingdom by the Raspberry Pi Foundation in association with Broadcom. The mini-computer with its armv7l processor has quickly become the favourite of hobbyists. Projects can be started with suitable Linux distributions. Even an aged RasPi, e.g. the models 2B and 2B+, can still handle simple tasks quite well.
First you should consider which directives make sense and which can be skipped. Otherwise, you may get some unpleasant surprises.
Apache httpd 2.2 is End-of-Life since December 2017 and should not be used. Users are advised to upgrade to the currently supported released version to address known issues.
root@raspberry:# apache2 -v
Server version: Apache/2.4.53 (Raspbian)
Server built:   2022-03-14T16:28:35
You can create one by renaming a simple text document and giving it the name ».htaccess«.
Upload this text document to root, e.g. /var/www/html/.
chmod the ».htaccess« file to 644 (rw-r--r--) so that the file is usable by Apache and prevents it from being read by a web browser.
user@raspberry:~ $ sudo su
root@raspberry:# cd /var/www/html
root@raspberry:/var/www/html# chmod 644 .htaccess
To make ».htaccess« work as expected, you need to edit the Apache configuration file:
root@raspberry:~# nano /etc/apache2/apache2.conf
Change
<Directory /var/www/>
    ...
    AllowOverride None
    ...
</Directory>
to
<Directory /var/www/>
    ...
    AllowOverride All
    ...
</Directory>
Save the file apache2.conf with Ctrl+O and close the nano editor with Ctrl+X.
root@raspberry:~# service apache2 restart
root@raspberry:~# systemctl daemon-reload
root@raspberry:~# service apache2 restart
# Apache v2.2
Order, Allow, Deny

# Apache v2.4+
Require all granted
Require all denied
Require not ip
Require not host

# Apache v2.2
RewriteCond %{HTTP_USER_AGENT} zgrab
RewriteCond %{HTTP_REFERER} (facebook|twitter|amazon)

# Apache v2.4+
RewriteCond "%{HTTP_USER_AGENT}" "zgrab"
RewriteCond "%{HTTP_REFERER}" "(facebook|twitter|amazon)"
# Charset and language
AddDefaultCharset UTF-8
DefaultLanguage en

# Disable directory browsing
Options -Indexes +FollowSymLinks

# Hide the server's OS and port opened in error message pages
ServerSignature Off

# Apache module mod_rewrite must be turned on. Read below.
RewriteEngine on

# Error handling, redirecting to a specific html-file or ext. domain
# 404 Not Found, 403 Access Forbidden, 410 Gone
ErrorDocument 403 https://duck.com/
ErrorDocument 404 /path_to/404.html
ErrorDocument 410 Default

# Entire directory
Redirect 410 /gone
# Single file
Redirect 410 /gone.html

# AddType associates a mime type with a given extension
# Has no influence with modern web browsers. You may skip all.
AddType audio/mp3 .mp3
AddType audio/x-wav .wav
AddType audio/ogg .ogg
AddType audio/webm .webm
AddType image/x-icon .ico
AddType video/mp4 .mp4
AddType video/mp4 .m4v
AddType video/webm .webm
If any one criterion matches, Apache sends a 403 »Access Forbidden« response.
# 101.202.303.404 etc. are placeholders, not valid addresses; substitute real ones
# Long form, one entry per line
<RequireAll>
    Require all granted
    Require not ip 101.202.303.404
    Require not ip 101.202.303
    Require not ip 101.202
    Require not host example.com
    Require not host sub.example.com
    Require not host sub.example
    Require not host example
    Require not host exit
    Require not host tor
</RequireAll>

# Compact form, several entries per line
<RequireAll>
    Require all granted
    Require not ip 101.202.303.404 101.202.303 101.202
    Require not host example.com sub.example.com sub.example example
    Require not host exit tor
</RequireAll>
Study the source : https://httpd.apache.org/docs/2.4/howto/access.html
Never ever use the .co (Colombia) domain, otherwise you block everything for .co, *.co.* AND .com !
RewriteEngine on

# Send 403 Forbidden if any of the conditions matches
RewriteCond "%{HTTP_USER_AGENT}" "(zgrab|googlego)$" [NC,OR]
RewriteCond "%{HTTP_REFERER}" "^.*(ru|ua|io).*$" [NC]
RewriteRule "(.*)" "-" [F]

# A second rule set with more conditions
RewriteCond "%{HTTP_USER_AGENT}" "(YandexBot|SemrushBot)$" [NC,OR]
RewriteCond "%{HTTP_REFERER}" "^.*(ru|ua|cn|by).*$" [NC,OR]
RewriteCond "%{HTTP_REFERER}" "(facebook|twitter|youtube)$" [NC]
RewriteRule "(.*)" "-" [F]
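The following script is an added example, not part of the original page. It runs the first Referer pattern above against constructed Referer values to show which requests it would answer with 403, next to a host-anchored pattern; the STRICT pattern and all sample URLs are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: how an unanchored RewriteCond pattern over-matches.
# mod_rewrite uses PCRE and searches anywhere in the string; for these simple
# patterns grep -E -i behaves the same way as a RewriteCond with [NC].

# Pattern taken from the first Referer condition on the page.
LOOSE='^.*(ru|ua|io).*$'
# Hypothetical tighter pattern (assumption, not from the page): the listed
# TLD must end the host part of the URL, optionally followed by a port.
STRICT='^https?://[^/]*\.(ru|ua|io)(:[0-9]+)?(/|$)'

# Constructed sample Referer values, one per line.
REFERERS='https://www.rust-lang.org/
https://studio.example.com/
https://example.com/guard
https://news.example.ru/article
https://example.org/
https://example.io:8443/x'

# matches PATTERN VALUE -> exit status 0 if the condition would be true.
matches() { printf '%s\n' "$2" | grep -Eiq -- "$1"; }

# count_blocked PATTERN -> number of sample Referers that would get a 403.
count_blocked() { printf '%s\n' "$REFERERS" | grep -Eic -- "$1" || true; }

# Print one line per sample Referer with the verdict of both patterns.
report() {
  printf '%s\n' "$REFERERS" | while IFS= read -r ref; do
    loose=pass; strict=pass
    if matches "$LOOSE" "$ref"; then loose=403; fi
    if matches "$STRICT" "$ref"; then strict=403; fi
    printf '%-34s loose=%-4s strict=%s\n' "$ref" "$loose" "$strict"
  done
  printf 'blocked: loose=%s strict=%s of 6\n' \
    "$(count_blocked "$LOOSE")" "$(count_blocked "$STRICT")"
}

report
```

The loose pattern rejects any Referer that merely contains the letters "ru", "ua" or "io", including .org and .com sites; the anchored one rejects only hosts that end in one of the listed TLDs.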
# some Googlebots run under Chrome/11.x
# some Googlebots run under Chrome/49.x, 41.x
# Googlebots run with Android 6.0
# Bing's BingPreview bots run in NT 6.1 (Windows 7)
RewriteCond "%{HTTP_USER_AGENT}" "(MSIE [5-9]|MSIE 10)" [NC,OR]
RewriteCond "%{HTTP_USER_AGENT}" "(NT [5-6]\.[2])" [NC,OR]
RewriteCond "%{HTTP_USER_AGENT}" "(Chrome/[2-3]|Chrome/4[2-8]|Chrome/[5-8])" [NC,OR]
RewriteCond "%{HTTP_USER_AGENT}" "(Firefox/[2-9]|Firefox/9\.0)" [NC,OR]
RewriteCond "%{HTTP_USER_AGENT}" "(Opera/[2-7])" [NC,OR]
RewriteCond "%{HTTP_USER_AGENT}" "(Android [2-5]|Android [7-9])" [NC,OR]
RewriteCond "%{HTTP_USER_AGENT}" "^(Mozilla)$" [NC,OR]
RewriteCond "%{HTTP_USER_AGENT}" "(Mozilla/4|Mozilla/6)" [NC]
RewriteRule "(.*)" "-" [F]
About »RewriteEngine on«: this requires the »mod_rewrite« module to be activated.
How to enable »mod_rewrite« if it is not enabled already:
root@raspberry:~# a2enmod rewrite
Module rewrite (already) enabled
root@raspberry:~# service apache2 restart
Reloads all the Apache config files.
Or, using the newer unified systemctl command:
root@raspberry:~# systemctl restart apache2
How to disable PHP, PHP5, Perl and CGI execution, if needed:
RewriteRule "^.*\.(php|php5|pl|cgi)$" "-" [F]
Alternatively, use:
<FilesMatch "\.(php|php5|pl|cgi)$">
    Require all denied
</FilesMatch>
How to allow only certain request methods:
RewriteCond "%{REQUEST_METHOD}" "!(GET|HEAD|POST)"
RewriteRule "(.*)" "-" [F]
Alternatively, use:
<RequireAny>
    Require method GET HEAD POST
</RequireAny>
16-Jan 2018
Updated 11-Jul 2022
This depends on your domain package and the support purchased. Note that the »www.« prefix is simply not always necessary. Neither form is better than the other, but it is recommended that you use only one format. Without »www.« all URLs are shorter, easier to read and quicker to type.
root@raspberry:# nano /var/www/html/.htaccess
Place this snippet above all other rules, at the top of the ».htaccess« file.
...
RewriteEngine on
Options +FollowSymLinks
...
# %{HTTPS} contains "on" or "off" in lowercase
RewriteCond "%{HTTPS}" "off" [OR]
RewriteCond "%{HTTP_HOST}" "^www\.example\.com$" [NC]
RewriteRule (.*) "https://example.com/$1" [R=308,L]
...
Please note that this code may cause the renewal / prolongation of the SSL certificate to fail.
The same for »http://www.« if only HTTP is supported.
...
RewriteCond "%{HTTP_HOST}" "^www\.example\.com$" [NC]
RewriteRule (.*) "http://example.com/$1" [R=308,L]
...
08-Apr 2018
Updated 26-Jun 2022
It is a good idea to let the visitor know exactly what occurred.
Not every HTML tag is permitted, for example the CSS style tags. HTML5 code is ruled out entirely.
Watch out for the quotation marks around "<html> and </html>".
root@raspberry:# nano /var/www/html/.htaccess
REMOVE ALL line breaks & white spaces after 403 "<html> or you get »500 Internal Server Error«.
Only the following tags are allowed.
<html>
<head>
<title>
<body>
<p>
<br>
<hr>
<ul>
<li>
ErrorDocument 403 "<html> <head> <title>403 Access Forbidden</title> </head> <body> <br><hr><h2>403 Access Forbidden</h2> <p>You don't have permission to access this resource.</p> <p>There are at least seven possible reasons :</p> <p> <ul> <li>Are you using an outdated web browser? <br>Upgrade your web browser to the most recent version to improve the surf experience.</li> <br><li>A blank User-Agent string.</li> <li>Index file browsing is forbidden.</li> <li>A firewall denies the permission.</li> <li>The server's geotargeting feature does not allow any access.</li> <li>You are not a human being, you are an unwished web-robot.</li> <li>You come from a remote host rejected by the server configuration.</li> </ul> </p><br> <hr> </body> </html>"
08-Feb 2021